Deny this user permissions to logon to Remote Desktop Session Host Server

How can we enable or disable 'Deny this user permissions to logon to Remote Desktop Session Host Server' for bulk users from the Remote Desktop Services Profile tab in Active Directory? Also, how do we generate a report of users who have this option enabled or disabled? This is urgent!!

Is there any PS1 command which can be used to generate a report of users who have this option enabled in their properties and then, using another command, disable those users? DCs are on 2008R2, 2012 and 2012R2.

August 24th, 2014 6:27am

Need immediate help...how can we generate the user account report for whom the option is enabled and then disable it for those set of users in active directory using powershell...

  • Edited by APBi Sunday, August 24, 2014 9:36 AM correction
August 24th, 2014 7:05am

Hi APBi,

To get and set the 'Deny this user permissions to log on to Remote Desktop Session Host server' option with Windows PowerShell, please use the ADSI adapter:

#To query the TSproperty of the users in an OU:

$Property = "allowLogon"

$ou = [adsi]"LDAP://ou=mytestou,dc=nwtraders,dc=com"

$users = $ou.psbase.get_children() #get all users in the ou 

Foreach($user in $users){

$user.psbase.invokeget($Property}

#To set the Tsproperty to a single AD user:

$ADUser = [ADSI]"LDAP://CN=UserName,OU=Users,DC=TestDomain,DC=com"
 $ADUser.SamAccountName #to check the account
 $ADUser.psbase.invokeSet("allowLogon",0)
 $ADUser.setinfo()

For more detailed information, please check these threads:

Hey, Scripting Guy! How Can I Edit Terminal Server Profiles for Users in Active Directory?

Best Regards,

Anna Wang


August 25th, 2014 8:07am

This doesn't work. I enabled the option in my account and ran it, but there was no change in the option. The command returned the result below:

OverloadDefinitions                                                                                                                  
------------------- -----

please help...


August 25th, 2014 9:39am

Hi,

Did the get tsproperty work?

And could you get the user samaccountname?

Please also note, when the value of "allowlogon" is set to 0, the setting "Deny log on to Remote Desktop Session Host with powershell...." will be checked.

For more detailed information, please check this thread:

Deny log on to Remote Desktop Session Host with powershell on Windows Server 2012 r2:

http://social.technet.microsoft.com/Forums/en-US/b9fd595a-cf86-47c7-a9e8-0e4730d4ef11/deny-log-on-to-remote-desktop-session-host-with-powershell-on-windows-server-2012-r2?forum=winserverpowershell

Best Regards,

Anna Wang

August 25th, 2014 9:49am

Tried the same command by changing allowlogon to msTSAllowLogon, but got the below error. I could see the value as Notset in ADSIEDIT for users who have this option disabled.

Exception calling "setinfo" with "0" argument(s): "The attribute syntax specified to the directory service is invalid.
"
At line:4 char:1
+ $ADUser.setinfo()
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI



August 25th, 2014 9:57am

Hi,

Why do you change the property AllowLogon to msTSAllowLogon?

Please just copy and paste the script, and also change the username.

Best Regards,

Anna Wang

  • Marked as answer by APBi Monday, August 25, 2014 11:10 AM
August 25th, 2014 10:17am

Thanks Anna.. it was my mistake and the command worked now.

Can you help me in getting the list of users in the entire domain who have this option checked, and then disable it for all of them? Tried running the get command and it gives the below error.

I am looking for something which can generate a report of the users who have this option checked and then uncheck it for that set of users.

At line:4 char:33
+ $user.psbase.invokeget($Property}
+                                 ~
Missing ')' in method call.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingEndParenthesisInMethodCall
 

August 25th, 2014 11:10am

Hi APBi,

My mistake, please try this script to list all users in an OU and the values of "allowlogon":

$output = @()
$Property = "allowLogon"
$ou = [adsi]"LDAP://ou=mytestou,dc=nwtraders,dc=com"
$users = $ou.psbase.get_children() # get all child objects (users) in the OU
Foreach ($user in $users) {
    # read the Remote Desktop Services "allowLogon" value for this user
    $allow = $user.psbase.invokeget($Property)
    $object = New-Object PSObject -Property @{
        User       = $user.SamAccountName
        allowlogon = $allow
    }
    $output += $object
}

$output

Best Regards,

Anna Wang

August 26th, 2014 1:47am

Thanks Anna, I created another script which will set this for a list of users. Thanks for your help :)
August 26th, 2014 6:51am

Hi Anna,

Can you pls confirm the below script? I want all users that are part of the "Service Accounts" OU to have RDP services disabled. The option "Deny this user permissions to log on to Remote Desktop Session Host Server" should be enabled for all users which are located in the "Service Accounts" OU.

$ou = [adsi]"LDAP://OU=Service Accounts,OU=Sales,DC=TestDomain,DC=com"
$user = $ou.psbase.get_children().find('CN=UserName')
$user.psbase.invokeSet("allowLogon",0)
$user.setinfo()
April 10th, 2015 7:23am

This topic is archived. No further replies will be accepted.
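
Added example, not part of the original thread or written by its participants: one way to produce the report requested earlier in the thread and to apply the setting to every user under an OU, as the last post asks. The function names Get-RdsLogonReport and Set-RdsLogon and the CSV file name are hypothetical; the code assumes PowerShell 3.0 or later and the same ADSI "allowLogon" property used in the scripts above.

```powershell
# Added example (not from the thread). Per the thread, allowLogon = 0 means the
# "Deny this user permissions to log on ..." box is checked.
function Get-RdsLogonReport {      # hypothetical name
    param([Parameter(Mandatory)] [string] $SearchBase)   # DN of an OU or the domain
    $searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user))'
    $searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
    $searcher.PageSize   = 500    # paged search, so more than 1000 users are returned
    foreach ($result in $searcher.FindAll()) {
        $user = $result.GetDirectoryEntry()
        try   { $allow = $user.psbase.InvokeGet('allowLogon') }
        catch { $allow = $null }  # value could not be read for this account
        [pscustomobject]@{
            User        = [string]$user.sAMAccountName
            AllowLogon  = $allow
            DenyChecked = ($allow -eq 0)
            AdsPath     = $result.Path
        }
    }
}

function Set-RdsLogon {            # hypothetical name
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [ValidateSet(0, 1)] [int] $AllowLogon,
        [switch] $Apply           # without -Apply the function only lists the changes
    )
    # Accounts whose value was unreadable ($null) are included and get written too
    $targets = Get-RdsLogonReport -SearchBase $SearchBase |
        Where-Object { $_.AllowLogon -ne $AllowLogon }
    foreach ($t in $targets) {
        if ($Apply) {
            $user = [adsi]$t.AdsPath
            $user.psbase.InvokeSet('allowLogon', $AllowLogon)
            $user.SetInfo()
        }
        [pscustomobject]@{ User = $t.User; OldValue = $t.AllowLogon
                           NewValue = $AllowLogon; Written = [bool]$Apply }
    }
}

$ou = 'OU=Service Accounts,OU=Sales,DC=TestDomain,DC=com'   # OU from the last post
Get-RdsLogonReport -SearchBase $ou | Export-Csv .\rds-logon-report.csv -NoTypeInformation
Set-RdsLogon -SearchBase $ou -AllowLogon 0          # preview only
Set-RdsLogon -SearchBase $ou -AllowLogon 0 -Apply   # check the Deny box for all users
```

Passing the domain DN as -SearchBase covers the whole domain, and -AllowLogon 1 clears the box instead of setting it.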
